Portable devices, such as laptops, offer staff greater flexibility and easier access to data, but they increase risk for Covered Entities and Business Associates, who have less control over laptops and other portable devices than over systems inside their facilities. Unless an organization knows which portable devices contain ePHI and takes the necessary steps to encrypt the data stored on them, the loss or theft of a single device can have disastrous results.
The HIPAA Security Rule Technical Safeguards contain a number of standards to guide organizations in their efforts to protect and control access to ePHI. Some of these standards are addressable rather than required. However, addressable does not mean optional.
The Security Rule clearly states that when a standard is addressable, a Covered Entity or Business Associate must assess whether it is reasonable to implement it as written within its own environment. If it is not, the organization must document why it is not reasonable and then implement a reasonable alternative.
Simply ignoring or disregarding addressable standards is a dangerous practice that leaves organizations vulnerable to data breaches. Such organizations may also face hefty penalties for willful neglect if a breach occurs or if they are audited by the Office for Civil Rights (OCR).